Fuse Networks Blog

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

Phishing Attacks Are Besting Two-Factor Authentication--Now What?

What has proven to be one of the more effective ways of preventing phishing attacks may be under fire from more advanced threats designed specifically to penetrate the defenses of two-factor authentication. This means that users need to be more cognizant of avoiding these attacks, but how can you help them make educated decisions about this? Let’s start by discussing the phishing attacks that can beat 2FA.

How Has Two-Factor Authentication (2FA) Been Defeated?

There are several methods used by hackers to bypass the security benefits of 2FA. Some phishing attempts have managed to find success in convincing users to have over both their credentials and the 2FA code that is generated by a login attempt. As reported by Amnesty International, one group of hackers has been sending out phishing emails that link the recipient to a convincing fake page to reset their Google password. Sometimes fake emails can be quite convincing, making the trickery much more difficult to identify.

As Amnesty International looked into the attacks, they found that the attacks were using an automated solution to launch Chrome and submit information the user entered into their end. This meant that the 30-second time limit imposed by 2FA was of no concern.

In November 2018, an application on a third-party app store posed as an Android battery utility tool was found to be stealing funds from a user’s PayPal account. The application would change the device’s Accessibility settings to enable an accessibility overlay feature. Once it was in place, the user’s clicks would be mimicked, giving hackers the ability to send funds to their own PayPal account.

Yet another method of attack was shared publicly by Piotr Duszynski, a Polish security researcher. This method, named Modlishka, created a reverse proxy that intercepted and recorded credentials as the user attempted to plug them into an impersonated website. Modlishka would then send the credentials to the real website to hide the fact that the user’s credentials were in fact stolen. Even worse yet, if the person using Modlishka is nearby, they can steal the 2FA credentials and use them very quickly.

Protect Yourself Against 2FA Phishing Schemes

The first step toward preventing 2FA phishing attacks is to make sure you actually have 2FA implemented in the first place. While it might not seem like much of a help (after all, these attacks are designed to work around them), it is much preferable to not having 2FA at all. The most secure method of 2FA at the moment uses hardware tokens with U2F protocol. Most important of all, however, is that your team needs to be trained on the giveaway signs of phishing attacks. With these attempts that target 2FA solutions, it might not be immediately apparent, which is why it’s all the more important to remain vigilant.

At its heart, 2FA phishing is just like regular phishing, plus an additional step to bypass or replicate the secondary authentication method. Here are a few tips to ensure best practices are followed regarding phishing attempts:

  • First, check to make sure that the website you’re using is actually the one it claims to be. For example, if you’re logging in to your Google account, the login URL wouldn’t be something like logintogoogle.com. You wouldn’t believe how often spoofers will fool users in this way.
  • To help you better understand other signs of phishing attacks, check out this phishing identification skills quiz by Alphabet, Inc. We encourage your staff also look into it.

To learn more about phishing attacks, be sure to subscribe to our blog.

Tip of the Week: Using Cloud Services for Your Bus...
Interpreting Analytics Isn’t Always Cut and Dry


No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Saturday, April 20 2019

Captcha Image

Newsletter Sign Up

  • No-Spam Guarantee: We hate spam as much or more than you do and will NEVER rent, share or give your information away to anyone else. We will only use your information to communicate with you direct, and you can also remove yourself from our list at any time with a simple click..
  • Company Name *
  • First Name *
  • Last Name *

      Mobile? Grab this Article!

      QR-Code dieser Seite

      Tag Cloud

      Tip of the Week Security Technology Best Practices Business Computing Tech Term Network Security Hackers Privacy Innovation Productivity User Tips Data Backup Android Cybersecurity Computer Collaboration Data Efficiency Software IT Support Data recovery Communication Google Email Communications IT Services Mobile Device Malware Hardware Internet Business Management Small Business Hosted Solutions Smartphone Phishing Office 365 VoIP Mobile Devices Artificial Intelligence Microsoft Office Information Browser Automation Blockchain Backup Cybercrime Social Media Business Smartphones Cost Management Applications Facebook Two-factor Authentication Access Control Managed Service Business Technology Cloud Computing Cloud Network Windows 10 Saving Money Maintenance Vulnerability Internet of Things Mobile Device Management Ransomware BDR Vulnerabilities Scam Passwords Data Security Apps Holiday Workplace Tips Mobility Healthcare Printer Data Breach Users Conferencing Virtual Assistant Alert Quick Tips Patch Management Upgrade Bandwidth IT Management Disaster Recovery Google Maps Social Engineering Remote Monitoring Hacking Data loss Update Outsourced IT Saving Time Gmail Cooperation Microsoft Augmented Reality App Managed IT services Websites Analytics Apple Tech Terms Vendor Document Management Bitcoin Gadgets Budget email scam HTML Cortana Screen Reader News Mobile Technology IT Retail Equifax Service Level Agreement Digital Multi-factor Authentication WiFi Microchip Nanotechnology project management Piracy Proxy Server Television Data Management Managed Service Provider Unified Communications Entertainment Emails Business Cards Regulations Business Continuity Sports Google Docs Router Social Network Big Data Startup Going Green eWaste VPN Disaster Tech Monitoring Website Fake News Virtual Reality Audit Support Windows 7 Device security Processor Operating System Travel Miscellaneous Money Software License Help Desk Mouse PowerPoint Machine Learning Printing Data Analysis Bluetooth Modem Paperless Office Customer Resource management Excel Antivirus Microsoft 365 Download Robot Data Protection Emergency Term Management Microsoft Excel Company Culture CIO Spam Navigation Username Vendor Management Professional Services Network Management Government Fileless Malware Wireless Headphones Content User Tip SSID Database Telephone System Windows 10 Tip of the week Computer Care Bookmark Solutions Upload Google Play Chromebook Computing Identity Theft Hard Drive Virtualization Fuse Networks Distributed Denial of Service Information Technology Voice over Internet Protocol Accountants Encryption Legal Directions Cleaning BYOD Comparison Tactics Electronic Medical Records Managed IT Services Mobile Security Browsers Integration Legislation Trends Computing Infrastructure Devices Knowledge Health IT Google Calendar Security Cameras Backup and Disaster Recovery Error Cryptocurrency Laptop Hard Drive Disposal Server Downloads Evernote Freedom of Information NCSAM iPhone Training Law Enforcement Cost Computers SharePoint Downtime Specifications Medical IT Addiction Gamification Networking Compliance Social Twitter Telephone Productivity Desktop Regulation Competition Customer Relationship Management IP Address Hiring/Firing Customer Service Managing Stress Mobile Office Domains Fun Employer-Employee Relationship Multi-Factor Security Wireless Public Speaking Presentation Wi-Fi Hard Drives Lithium-ion battery Printers Search Tech Support Wireless Technology 5G Safety IBM Transportation Marketing Hacker The Internet of Things